WTVP/Tickets
| WTVP |
|---|
| Overview • List of WTVP Services • WTVP-specific Content-Types • Status Codes |
| Concepts |
| Tokens • Tickets • Capability Flags |
| Headers |
| Header List • Data Types • Common Request Headers |
| Processes |
| First-Time Registration • Headwaiter (Login) • Messenger Services • Favorites • Checking for new mail • Retrieving settings • Obtaining new wtv-tickets • Smart Card • Miscellaneous |
| URLs for WTVP Services |
| wtv-1800 • wtv-aroundtown • wtv-author • wtv-center • wtv-chat • wtv-content • wtv-cookie • wtv-customscript • wtv-disk • wtv-epguide • wtv-favorite • wtv-flashrom • wtv-guide • wtv-head-waiter • wtv-home • wtv-intro • wtv-log • wtv-mail • wtv-news • wtv-notices • wtv-partner • wtv-passport • wtv-register • wtv-setup • wtv-smartcard • wtv-spot • wtv-star • wtv-tricks • wtv-tutorial |
A ticket is a piece of opaque data that, to put it simply, authorizes client sessions on a server. In WTVP, they are used to authorize user sessions throughout the entire WebTV/MSN TV service after a user logs in.
Overview
After a box logs in through the headwaiter service, it receives among other data an opaque value through the server's responses, residing in the header wtv-ticket. For any further services a box would like to connect to, it will have to send the ticket in a wtv-ticket header first to authorize access for its current session.
The lifetime of these tickets are unknown as of writing, but we for sure know they aren't indefinitely available as there has been a service recorded to renew tickets for box sessions.
Technical
WebTV/MSN TV's tickets can technically take on any value and can be generated in any way the underlying service sees fit. For the official service, though, tickets are Base64-encoded BLOBs, that when decoded expose binary data. According to internal Microsoft documents, the actual tickets are encrypted "with a service key" [1] and the encrypted form is what is likely sent between boxes and frontend servers. While the algorithm used for encrypting tickets is at the moment, unknown, the key used to encrypt the ticket is currently believed to be a 128-bit key. The original key used in production, according to our sources, had not been changed for the duration of the WebTV/MSN TV service's life.
When decoded, it is believed the tickets look something like this:
38/|9/|wtv-user-id/|129517092/|12/|wtv-user-name/|AR_129517089/|2/|wtv-human-name-first/|AR/|9/|wtv-human-name-last/|129517089/|11/|ip/|192.168.1.3/|1/|wtv-chat-restriction/|0/|1/|user-is-the-subscriber/|1/|5/|wtv-messenger-authorized/|false/|14/|user-list/|1,129517092;1,/|3/|wtv-programs/|one/|6/|wtv-subscriber-category/|normal/|12/|ANI/|950000000000/|5/|subscriber-zip/|11111/|2/|subscriber-country/|US/|2/|tricks-access-level/|40/|1/|traxs-temp-access/|0/|8/|traxs-time-stamp/|5d8c5060/|8/|traxs-passwd-hash/|873241cb/|13/|subscriber-billing-address/|463 Bryant St/|12/|subscriber-billing-city/|Redwood City/|2/|subscriber-billing-state/|CA/|12/|subscriber-phone-day/|123-456-7890/|2/|subscriber-billing-status/|ok/|1/|subscriber-is-canceled/|0/|1/|service-tier/|1/|9/|wtv-subscriber-id/|129517089/|16/|wtv-client-serial-number/|n00b_for_life_04/|2/|wtv-printer-mfr-code/|-1/|2/|wtv-printer-model-code/|-1/|1/|wtv-printer-black-pen-code/|0/|1/|wtv-printer-color-pen-code/|0/|9/|wtv-client-time-zone/|PST -0800/|2/|session-country/|US/|24/|wtv-session-key1/|Q1VecbKp43JKN9Z57/6pQg==/|24/|wtv-session-key2/|13fF8748HiDyxzTd/I4rXw==/|21/|wtv-user-connection-id/|1; 5D8C5060:0007967E;/|21/|wtv-user-session-id/|1; 5D8C5055:000E4215;/|32/|wtv-MD5-digest/|9d4a78043e666b70709a391e20ecb559/|
From what we can infer, this format stores properties pertaining to a subscriber/user's account, billing, and session information. All individual data is separated by a delimiter (/|), and to define the amount of properties available, the first field is the number of properties in the current ticket.
Properties themselves are stored as delimited type-length-value tuples:
+================+=================+==================+ | value length | property type | property value | +================+=================+==================+
Known Ticket Property Types
| Name | Type | Description |
|---|---|---|
| ANI | string | ??? |
| wtv-chat-restriction | integer | ??? |
| wtv-client-serial-number | string | SSID linked to ticket. |
| wtv-client-time-zone | string | Time zone. Not sure if it's of the subscriber/user's location or the service. |
| wtv-human-name-first | string | First name of account linked to the ticket. |
| wtv-human-name-last | string | Last name of account linked to the ticket. |
| ip | string | IP address (possibly of the active account). |
| wtv-MD5-digest | string | ??? |
| wtv-messenger-authorized | boolean | Possibly a flag for whether Messenger is enabled on the WebTV/MSN TV account. |
| wtv-printer-black-pen-code | integer | ??? |
| wtv-printer-color-pen-code | integer | ??? |
| wtv-printer-mfr-code | integer | ??? |
| wtv-printer-model-code | integer | ??? |
| wtv-programs | string | ??? |
| service-tier | integer | ??? |
| session-country | string | ??? |
| wtv-session-key1 | BLOB | First RC4 session key (client -> server) for the WebTV/MSN TV user's session. Used for SECURE communication in WTVP. Also present in the wtv-challenge from the headwaiter challenge/response process.
|
| wtv-session-key2 | BLOB | Second RC4 session key (server -> client) for the WebTV/MSN TV user's session. Used for SECURE communication in WTVP. Also present in the wtv-challenge from the headwaiter challenge/response process.
|
| subscriber-billing-address | string | Billing address of WebTV subscriber. |
| subscriber-billing-city | string | City the WebTV subscriber resides in. |
| subscriber-billing-state | string | State the WebTV subscriber resides in. |
| subscriber-billing-status | string | ??? |
| wtv-subscriber-category | string | ??? |
| subscriber-country | string | Country the WebTV subscriber resides in. |
| wtv-subscriber-id | ??? | ??? |
| subscriber-is-canceled | boolean | ??? |
| subscriber-phone-day | string | Phone number of WebTV subscriber. |
| subscriber-zip | integer | ZIP code of WebTV subscriber. |
| traxs-temp-access | integer(?) | ??? |
| traxs-time-stamp | string | ??? |
| traxs-passwd-hash | string | ??? |
| tricks-access-level | integer | Related to access level to Tricks service(?). Need more documentation on this. |
| user-is-the-subscriber | boolean | Flag that specifies if the user linked to the ticket is the subscriber(?). |
| wtv-user-connection-id | string | ??? |
| wtv-user-session-id | ??? | ??? |
| wtv-user-id | string | Possibly the user ID of the account linked to the ticket. |
| wtv-user-name | string | Username of account linked to the ticket. |
| user-list | string | ??? |
"wtv-service-cookie"
While not directly related to tickets, there is another authorization value sent by the headwaiter when a box logs in: wtv-service-cookie. At the moment the use of this value is unknown, but the form of this value sent to the box (Base64-encoded BLOB) is encoded in a way similar to tickets. When decoded, they have data formatted like this:
01CREATEDT/|1569458346/|/|initial/|initial/|/|
While using a scheme similar to decoded tickets, the format of the decoded service cookies are unclear, and unless we get a hold of more insider information, we might never know.